Abstract

This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped credentials
by web applications, for the purpose of strongly authenticating users. Conceptually, one or more credentials, each scoped to a
given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The
user agent mediates access to scoped credentials in order to preserve user privacy. Authenticators are responsible for ensuring
that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying
parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators,
including their signature and attestation functionality.

Status of this document

This section describes the status of this document at the time of its publication. Other
documents may supersede this document. A list of current W3C publications and the latest revision of this
technical report can be found in the W3C technical
reports index at https://www.w3.org/TR/.

Publication as a Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may
be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite
this document as other than work in progress.

1. Introduction

This section is not normative.

This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped
credentials by web applications, for the purpose of strongly authenticating users. A scoped credential is
created and stored by an authenticator at the behest of a Relying Party, subject to user
consent. Subsequently, the scoped credential can only be accessed by web origins belonging to that Relying Party.
This scoping is enforced jointly by conforming User Agents and authenticators.
Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even
the existence, of credentials scoped to other Relying Parties.

Broadly, compliant authenticators protect scoped credentials, and
interact with user agents to implement the Web Authentication API. Some
authenticators may run on the same computing device (e.g., smart phone, tablet,
desktop PC) as the user agent is running on. For instance, such an authenticator
might consist of a Trusted Execution Environment (TEE) applet, a Trusted
Platform Module (TPM), or a Secure Element (SE) integrated into the computing
device in conjunction with some means for user verification, along with
appropriate platform software to mediate access to these components'
functionality. Other authenticators may operate autonomously from the computing
device running the user agent, and be accessed over a transport such as
Universal Serial Bus (USB), Bluetooth Low Energy (BLE) or Near Field
Communications (NFC).

1.1. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further
scenarios. Additional scenarios, including sample code, are given later in §10 Sample scenarios.

1.1.1. Registration

On a phone:

User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using
(possibly a legacy method such as a password), or creates a new account.

The phone prompts, "Do you want to register this device with example.com?"

1.1.2. Authentication

User navigates to example.com in a browser, sees an option to "Sign in with your phone."

User chooses this option and gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discreet prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed-in, and navigates to the signed-in page.

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

User navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment
or other financial transaction.

2. Conformance

This specification defines criteria for a Conforming User Agent: A User Agent MUST behave as described in this
specification in order to be considered conformant. Conforming User Agents MAY implement algorithms given in this
specification in any way desired, so long as the end result is indistinguishable from the result that would be obtained by the
specification’s algorithms. A conforming User Agent MUST also be a conforming implementation of the IDL fragments of this
specification, as described in the “Web IDL” specification. [WebIDL-1]

2.1. Dependencies

This specification relies on several other underlying specifications.

HTML5

The concept of origin and the Navigator/dfn> interface are defined in [HTML5].

Web IDL

Many of the interface definitions and all of the IDL in this specification depend on [WebIDL-1]. This updated version of
the Web IDL standard adds support for Promises, which are now the preferred mechanism for asynchronous
interaction in all new web APIs.

DOM

DOMException and the DOMException values used in this specification are defined in [DOM4].

The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined
in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional characters. This is the same encoding as used by JSON Web
Signature (JWS) [RFC7515].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Terminology

Generally, a statement that serves to bear witness, confirm, or authenticate.
In the WebAuthn context, attestation is employed to attest to the provenance of an authenticator and the data it emits;
including, for example: credential IDs, public keys, signature counters, etc.
See also attestation formats, and attestation types.

The concept of a ceremony [Ceremony] is an extension of the concept of a network protocol, with human nodes alongside
computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects
that carry data. What is out-of-band to a protocol is in-band to a ceremony. In this specification, Registration, Authentication, and user verification are ceremonies.

Also known as a Registered Domain[PSL], an eTLD+1 is an effective Top-Level Domain Name (eTLD), plus the
next domain name label, proceeding from right to left. An eTLD is also known as a public suffix[RFC7719].

Note: While the term Relying Party is used in other contexts (e.g., X.509 and OAuth), an entity acting as a Relying Party in one context is
not necessarily a Relying Party in others.

Relying Party Identifier

RP ID

A Relying Party Identifier is derived from a Relying Party’s web origin’s hostname by computing the hostname’s eTLD+1.

Scoped Credential

Generically, a credential is data one entity presents to another in order to authenticate the former’s identity [RFC4949].
A WebAuthn scoped credential is a { identifier, type } pair identifying authentication
information established by the authenticator and the Relying Party, together, at registration time.
The authentication information consists of an asymmetric key pair, where the public key portion is returned to the Relying Party. who
stores it in conjunction with the present user’s account.
The authenticator maps the private key to the Relying Party’s RP ID and stores it.
Subsequently, only that Relying Party, as identified by its RP ID, is able to employ the scoped credential in authentication ceremonies, via the getAssertion() method.
The Relying Party uses its copy of the stored public key to verify the resultant WebAuthn Assertion.

User Consent

User consent means the user agrees with what they are being asked, i.e., it encompasses reading and understanding prompts. User verification encompasses the means employed by the user to indicate consent.

User Verification

The process by which an authenticatorlocally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations, for example through a touch plus pin
code, a password, a gesture (e.g., presenting a fingerprint), or other modality. Note that invocation of said operations
implies use of key material managed by the authenticator.

4. Web Authentication API

This section normatively specifies the API for creating and using scoped credentials. Support for deleting credentials is
deliberately omitted; this is expected to be done through platform-specific user interfaces rather than from a script. The basic
idea is that the credentials belong to the user and are managed by an authenticator, with which the Relying Party interacts through the
client (consisting of the browser and underlying OS platform). Scripts can (with the user’s consent) request the browser to
create a new credential for future use by the Relying Party. Scripts can also request the user’s permission to perform authentication
operations with an existing credential. All such operations are performed in the authenticator and are mediated by the browser
and/or platform on the user’s behalf. At no point does the script get access to the credentials themselves; it only gets
information about the credentials in the form of objects.

The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
holds and manages credentials, ensures that all operations are scoped to a particular web origin, and cannot be replayed against
a different origin, by incorporating the origin in its responses. Specifically, as defined in §5.2 Signature Format, the full
origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as
well as in all assertions produced by WebAuthn credentials.

Additionally, to maintain user privacy and prevent malicious Relying Parties from probing for the presence of credentials belonging to
other Relying Parties, each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
to the authenticator for all operations, and the authenticator ensures that credentials created by a Relying Party can only be used in
operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases
where a single Relying Party maintains multiple web origins.

The client facilitates these security measures by providing correct web origins and RP IDs to the authenticator for each
operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in secure contexts, as defined in [secure-contexts].

The Web Authentication API is defined by the union of the Web IDL fragments presented in the following sections. A combined IDL listing is given in the IDL Index. The API is defined as a part of the Navigator interface:

This interface has two methods, which are described in the following subsections.

4.1.1. Create a new credential (makeCredential() method)

With this method, a script can request the User Agent to create a new credential of a given type and persist it to the
underlying platform, which may involve data storage managed by the browser or the OS. The user agent will prompt the user to
approve this operation. On success, the promise will be resolved with a ScopedCredentialInfo object describing the newly
created credential.

This method takes the following parameters:

The accountInformation parameter specifies information about the user account for which the credential is being
created. This is meant for later use by the authenticator when it needs to prompt the user to select a credential.

The cryptoParameters parameter supplies information about the desired properties of the credential to be created.
The sequence is ordered from most preferred to least preferred. The platform makes a best effort to create the most
preferred credential that it can.

The attestationChallenge parameter contains a challenge intended to be used for generating the attestation
statement of the newly created credential.

When this method is invoked, the user agent MUST execute the following algorithm:

If timeoutSeconds was specified, check if its value lies within a reasonable range as defined by the
platform and if not, correct it to the closest value lying within that range. Set adjustedTimeout to this adjusted value.
If timeoutSeconds was not specified, then set adjustedTimeout to a platform-specific default.

Let promise be a new Promise. Return promise and start a timer for adjustedTimeout seconds.
Then asynchronously continue executing the following steps.

Set callerOrigin to the origin of the caller. Derive the RP ID from callerOrigin by computing the
"public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1")
part of callerOrigin[PSL]. Let rpId be the lowercase form of this RP ID. Set rpIdHash to the SHA-256 hash of the
UTF-8 encoding of rpId.

Process each element of cryptoParameters using the following steps, to produce a new sequence normalizedParameters:

If current.type does not contain a CredentialType supported by this implementation, then stop processing current and move on to the next element in cryptoParameters.

Let normalizedAlgorithm be the result of normalizing an algorithm using the procedure defined in [WebCryptoAPI],
with alg set to current.algorithm and op set to 'generateKey'. If an error occurs during this procedure, then
stop processing current and move on to the next element in cryptoParameters.

Add a new object of type ScopedCredentialParameters to normalizedParameters, with type set to current.type and algorithm set to normalizedAlgorithm.

While issuedRequests is not empty, perform the following actions depending upon the adjustedTimeout timer and responses
from the authenticators:

If the adjustedTimeout timer expires, then for each entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator’s
entry from issuedRequests. For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

If any authenticator returns an error status, delete the corresponding entry from issuedRequests.

If any authenticator indicates success:

Remove this authenticator’s entry from issuedRequests.

Create a new ScopedCredentialInfo object named value and populate its fields with the values returned from the
authenticator as well as the clientDataJSON computed earlier.

For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and
remove its entry from the list.

Resolve promise with value and terminate this algorithm.

Resolve promise with a DOMException whose name is "NotFoundError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator.

4.1.2. Use an existing credential (getAssertion() method)

This method is used to discover and use an existing scoped credential, with the user’s consent. The script optionally specifies
some criteria to indicate what credentials are acceptable to it. The user agent and/or platform locates credentials matching the
specified criteria, and guides the user to pick one that the script should be allowed to use. The user may choose not to provide
a credential even if one is present, for example to maintain privacy.

This method takes the following parameters:

The assertionChallenge parameter contains a challenge that the selected authenticator is expected to sign to
produce the assertion.

When this method is invoked, the user agent MUST execute the following algorithm:

If timeoutSeconds was specified, check if its value lies within a reasonable range as defined by the
platform and if not, correct it to the closest value lying within that range. Set adjustedTimeout to this adjusted value.
If timeoutSeconds was not specified, then set adjustedTimeout to a platform-specific default.

Let promise be a new Promise. Return promise and start a timer for adjustedTimeout seconds.
Then asynchronously continue executing the following steps.

Set callerOrigin to the origin of the caller. Derive the RP ID from callerOrigin by computing the
"public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1")
part of callerOrigin[PSL]. Let rpId be the lowercase form of this RP ID. Set rpIdHash to the SHA-256 hash of the
UTF-8 encoding of rpId.

If extensions was specified, process any extensions supported by this client platform, to produce the
extension data that needs to be sent to the authenticator. Call this data clientExtensions.

For each authenticator currently available on this platform, perform the following steps:

If allowList is undefined or empty, let credentialList be an empty list. Otherwise, execute a platform-specific
procedure to determine which, if any, credentials listed in allowList might be present on this authenticator, and
set credentialList to this filtered list. If no such filtering is possible, set credentialList to an empty list.

If the above filtering process concludes that none of the credentials on allowList can possibly be on this
authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator
(if any).

While issuedRequests is not empty, perform the following actions depending upon the adjustedTimeout timer and responses
from the authenticators:

If the timer for adjustedTimeout expires, then for each entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and remove its entry from the list.

If any authenticator returns a status indicating that the user cancelled the operation, delete that authenticator’s entry
from issuedRequests. For each remaining entry in issuedRequests invoke the authenticatorCancel operation on
that authenticator, and remove its entry from the list.

If any authenticator returns an error status, delete the corresponding entry from issuedRequests.

If any authenticator returns success:

Remove this authenticator’s entry from issuedRequests.

Create a new WebAuthnAssertion object named value and populate its fields with the values returned from the
authenticator as well as the clientDataJSON computed earlier.

For each remaining entry in issuedRequests invoke the authenticatorCancel operation on that authenticator and
remove its entry from the list.

Resolve promise with value and terminate this algorithm.

Resolve promise with a DOMException whose name is "NotFoundError", and terminate this algorithm.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator with which to complete the operation.

4.2. ScopedCredentialInfo Interface

This interface represents a newly-created scoped credential. It contains information about the credential that can be used
to locate it later for use, and also contains metadata that can be used by the Relying Party to assess the strength of the
credential during registration.

The credential attribute contains a unique identifier for the credential represented by this object.

The attestation attribute contains a key attestation statement returned by the authenticator. This provides
information about the credential and the authenticator it is held in, such as the level of security assurance provided by
the authenticator.

4.3. User Account Information (dictionary Account)

This dictionary is used by the caller to specify information about the user account and Relying Party with which a credential
is to be associated. It is intended to help the authenticator in providing a friendly credential selection interface for the
user.

The rpDisplayName member contains the friendly name of the Relying Party, such as "Acme Corporation", "Widgets Inc" or
"Awesome Site".

The displayName member contains the friendly name associated with the user account by the Relying Party, such as "John P.
Smith".

The name member contains a detailed name for the account, such as "john.p.smith@example.com".

The id member contains an identifier for the account, stored for the use of the Relying Party. This is not meant to be
displayed to the user.

The imageURL member contains a URL that resolves to the user’s account image. This may be a URL that can be used
to retrieve an image containing the user’s current avatar, or a data URI that contains the image data.

This dictionary is used to supply additional parameters when creating a new credential.

The type member specifies the type of credential to be created.

The algorithm member specifies the cryptographic signature algorithm with which the newly generated credential
will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.

This dictionary is used to supply additional options when creating a new credential. All these parameters are optional.

The timeoutSeconds parameter specifies a time, in seconds, that the caller is willing to wait for the call to
complete. This is treated as a hint, and may be overridden by the platform.

The excludeList parameter is intended for use by Relying Parties that wish to limit the creation of multiple
credentials for the same account on a single authenticator. The platform is requested to return an error if the new
credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.

The extensions parameter contains additional parameters requesting additional processing by the client and
authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create
the credential, or that additional information be returned in the attestation statement. Alternatively, the caller may
specify an additional message that they would like the authenticator to display to the user. Extensions are defined in §7 WebAuthn Extensions.

4.6. WebAuthn Assertion (interface WebAuthnAssertion)

Scoped credentials produce a cryptographic signature that provides proof of possession of a private key as well as evidence of
user consent to a specific transaction. The structure of these signatures is defined as follows.

The credential member represents the credential that was used to generate this assertion.

This dictionary is used to supply additional options when generating an assertion. All these parameters are optional.

The optional timeoutSeconds parameter specifies a time, in seconds, that the caller is willing to wait for the
call to complete. This is treated as a hint, and may be overridden by the platform.

The optional allowList member contains a list of credentials acceptable to the caller, in order of the caller’s
preference.

The optional extensions parameter contains additional parameters requesting additional processing by the client
and authenticator. For example, if transaction confirmation is sought from the user, then the prompt string would be
included in an extension. Extensions are defined in a companion specification.

4.8. WebAuthn Assertion Extensions (dictionary WebAuthnExtensions)

This is a dictionary containing zero or more extensions as defined in §7 WebAuthn Extensions. An extension is an additional parameter
that can be passed to the getAssertion() method and triggers some additional processing by the client platform and/or the
authenticator.

If the caller wants to pass extensions to the platform, it SHOULD do so by adding one entry per extension to this dictionary
with the extension identifier as the key, and the extension’s value as the value (see §5.2 Signature Format for details).

4.9. Credential Attestation Statement (interface WebAuthnAttestation)

Authenticators also provide some form of attestation. The basic requirement is that the authenticator can produce, for each
credential public key, attestation information that can be verified by a Relying Party. Typically, this information contains a
signature by an attesting key over the attested public key and a challenge, as well as a certificate or similar information
providing provenance information for the attesting key, enabling a trust decision to be made.

The type member specifies the type of attestation statement contained in this structure. This specification
defines a number of attestation formats, in §6 Defined Attestation Formats. Other attestation formats may be defined in
later versions of this specification.

The statement element contains the actual attestation statement. The structure of this object depends on the
attestation format. For more details, see §5.3 Credential Attestation Statements.

This attestation statement is delivered to the Relying Party by the Relying Party’s script running on the client, using methods outside
the scope of this specification. It contains all the information that the Relying Party’s server requires to validate the statement, as
well as to decode and validate the bindings of both the client and authenticator data.

4.10. Supporting Data Structures

The scoped credential type uses certain data structures that are specified in supporting specifications. These are as follows.

The client data represents the contextual bindings of both the Relying Party and the client platform. It is a key-value mapping with
string-valued keys. Values may be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL.

The tokenBinding member contains the base64url encoding of the Token Binding ID that this client uses for the
Token Binding protocol when communicating with the Relying Party. This can be omitted if no Token Binding has been negotiated between
the client and the Relying Party.

The optional extensions member contains additional parameters generated by processing the extensions passed in
by the Relying Party. WebAuthn extensions are detailed in Section §7 WebAuthn Extensions.

This structure is used by the client to compute the following quantities:

4.10.2. Credential Type enumeration (enum CredentialType)

This enumeration defines the valid credential types. It is an extension point; values may be added to it in the future, as
more credential types are defined. The values of this enumeration are used for versioning the WebAuthn assertion and
attestation statement according to the type of the authenticator.

4.10.3. Unique Identifier for Credential (interface Credential)

This interface contains the attributes that are returned to the caller when a new credential is created, and can be used later
by the caller to select a credential for use.

The type attribute contains a value of type CredentialType, indicating the specification and version that
this credential conforms to.

The id attribute contains an identifier for the credential, chosen by the platform with help from the
authenticator. This identifier is used to look up credentials for use, and is therefore expected to be globally unique with
high probability across all credentials of the same type, across all authenticators. This API does not constrain the format
or length of this identifier, except that it must be sufficient for the platform to uniquely select a key. For example, an
authenticator without on-board storage may create identifiers that consist of the key material wrapped with a key that is
burned into the authenticator.

4.10.4. Credential Descriptor (dictionary CredentialDescription)

This dictionary contains the attributes that are specified by a caller when referring to a credential as an input parameter to
the makeCredential() or getAssertion() method. It mirrors the fields of the Credential object returned by these methods.

The type attribute contains the type of the credential the caller is referring to.

The id attribute contains the identifier of the credential that the caller is referring to.

A string or dictionary identifying a cryptographic algorithm and optionally a set of parameters for that algorithm. This type is
defined in [WebCryptoAPI].

5. WebAuthn Authenticator model

The API defined in this specification implies a specific abstract functional model for an authenticator. This section
describes the authenticator model. Client platforms may implement and expose this abstract model in any way desired. However,
the behavior of the client’s Web Authentication API implementation, when operating on the authenticators
supported by that platform, MUST be indistinguishable from the behavior specified in §4 Web Authentication API.

In this abstract model, each authenticator stores some number of scoped credentials. Each scoped credential has an identifier
which is unique (or extremely unlikely to be duplicated) among all scoped credentials. Each credential is also associated with a Relying Party, whose identity is represented by a Relying Party Identifier (RP ID).

5.1. Authenticator operations

A client must connect to an authenticator in order to invoke any of the operations of that authenticator. This connection
defines an authenticator session. An authenticator must maintain isolation between sessions. It may do this by only allowing one
session to exist at any particular time, or by providing more complicated session management.

The following operations can be invoked by the client in an authenticator session.

5.1.1. The authenticatorMakeCredential operation

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

The SHA-256 hash of the caller’s RP ID, as determined by the user agent and the client.

A list of Credential objects provided by the Relying Party with the intention that, if any of these are known to the authenticator,
it should not create a new credential.

Extension data created by the client based on the extensions requested by the Relying Party.

When this operation is invoked, the authenticator obtains user consent for creating a new credential. The prompt for obtaining
this consent is shown by the authenticator if it has its own output capability, or by the user agent otherwise. Once user
consent is obtained, the authenticator generates the appropriate cryptographic keys and creates a new credential. It also
generates an identifier for the credential, such that this identifier is globally unique with high probability across all
credentials with the same type across all authenticators. It then associates the credential with the specified RP ID hash such
that it will be able to retrieve the RP ID hash later, given the credential ID. Finally, it generates an attestation statement
that describes its own attributes as well as some attributes of the credential. For more details on attestation, see §5.3 Credential Attestation Statements.

On successful completion of this operation, the authenticator returns the following to the client:

The type and unique identifier of the new credential.

The public key associated with the new credential.

The attestation statement, including information about the attestation format used.

If the user refuses consent, the authenticator returns an appropriate error status to the client.

5.1.2. The authenticatorGetAssertion operation

This operation must be invoked in an authenticator session which has no other operations in progress. It takes the following
input parameters:

The SHA-256 hash of the caller’s RP ID, as determined by the user agent and the client.

A list of credentials acceptable to the Relying Party (possibly filtered by the client).

Extension data created by the client based on the extensions requested by the Relying Party.

When this method is invoked, the authenticator allows the user to select a credential from among the credentials associated with
that Relying Party (as determined by an exact match of the RP ID hash) and matching the specified criteria, then obtains user consent
for using that credential. The prompt for obtaining this consent may be shown by the authenticator if it has its own output
capability, or by the user agent otherwise. Once a credential is selected and user consent is obtained, the authenticator
computes a cryptographic signature using the credential’s private key and constructs an assertion signature as specified in §5.2 Signature Format.

On successful completion, the authenticator returns to the user agent:

If the authenticator cannot find any credential corresponding to the specified Relying Party that matches the specified criteria, it
terminates the operation and returns an error.

If the user refuses consent, the authenticator returns an appropriate error status to the client.

5.1.3. The authenticatorCancel operation

This operation takes no input parameters and returns no result.

When this operation is invoked by the client in an authenticator session, it has the effect of terminating any authenticatorMakeCredential or authenticatorGetAssertion operation currently in progress in that authenticator
session. The authenticator stops prompting for, or accepting, any user input related to authorizing the canceled operation. The
client ignores any further responses from the authenticator for the canceled operation.

5.2. Signature Format

WebAuthn signatures are bound to various contextual data. These data are observed, and added at different levels of the stack as
a signature request passes from the server to the authenticator. In verifying a signature, the server checks these bindings
against expected values.

The components of a system using WebAuthn can be divided into three layers:

The Relying Party (RP), which uses the WebAuthn services. The RP consists of a server component and a web-application running
in a browser.

The WebAuthn Client platform, which consists of the User Agent and the OS and device on which it executes.

The Authenticator itself, which provides key management and cryptographic signatures. This may be embedded in the
WebAuthn client, or housed in a separate device entirely. In the latter case, the interface between the WebAuthn client and
the authenticator is a separately-defined protocol.

This specification defines the common signature format shared by all the above layers. This includes how the different
contextual bindings are encoded, signed over, and delivered to the RP.

The goals of this design can be summarized as follows.

The scheme for generating signatures should accommodate cases where the link between the client platform and authenticator
is very limited, in bandwidth and/or latency. Examples include Bluetooth Low Energy and Near-Field Communication.

The data processed by the authenticator should be small and easy to interpret in low-level code. In particular, authenticators
should not have to parse high-level encodings such as JSON.

Both the client platform and the authenticator should have the flexibility to add contextual bindings as needed.

The design aims to reuse as much as possible of existing encoding formats in order to aid adoption and implementation.

The contextual bindings are divided in two: Those added by the RP or the client platform, referred to as client data; and those
added by the authenticator, referred to as the authenticator data. The client data must be signed over, but an authenticator is
otherwise not interested in its contents. To save bandwidth and processing requirements on the authenticator, the client
platform hashes the ClientData and sends only the result to the authenticator. The authenticator signs over the combination of
this clientDataHash, and its own authenticator data.

5.2.1. Authenticator data

The authenticator data encodes contextual bindings made by the authenticator itself. The authenticator data has a compact
but extensible encoding. This is desired since authenticators can be devices with limited capabilities and low power
requirements, with much simpler software stacks than the client platform components.

The encoding of authenticator data is a byte array of 37 bytes or more, as follows.

Byte index

Description

0-31

SHA-256 hash of the RP ID associated with the credential.

32

Flags (bit 0 is the least significant bit):

Bit 0: Test of User Presence (TUP) result.

Bits 1-6: Reserved for future use (RFU).

Bit 7: Extension data included (ED). Indicates if the authenticator data has extensions.

33-36

Signature counter (signCount), 32-bit unsigned big-endian integer.

37-

Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and
extension authenticator data values as values. See §7 WebAuthn Extensions for details.

Note that the RP ID hash is originally received from the client when the credential is created, and again when an assertion is
generated. However, it differs from other client data in some important ways. First, unlike the client data, the RP ID of a
credential does not change between operations but instead remains the same for the lifetime of that credential. Secondly, it is
validated by the authenticator during the authenticatorGetAssertion operation, by making sure that the RP ID hash
associated with the requested credential exactly matches the RP ID hash supplied by the client. These differences also explain
why the RP ID hash is always a SHA-256 hash instead of being crypto-agile like the clientDataHash; for a given RP ID, we
need the hash to be computed the same way by all clients for all operations so that authenticators can roam among clients
without losing interoperability.

The TUP flag SHALL be set if and only if the authenticator detected a user through an authenticator specific gesture. The RFU bits in the flags byte SHALL be set to zero.

If the authenticator does not include any extension data, it MUST set the ED flag in the first byte to zero, and to one if
extension data is included.

The figure below shows a visual representation of the authenticator data structure.

authenticatorData layout.

Note: The authenticatorData describes its own length: If the ED flag is not set, it is always 37 bytes long. If the ED flag is set,
it is 37 bytes plus the CBOR map that follows.

5.2.2. Generating a signature

A raw cryptographic signature must assert the integrity of both the client data and the authenticator data. Thus, an authenticator SHALL compute a signature over the concatenation of the authenticatorData and the clientDataHash.

Generating a signature on the authenticator.

Note: A simple, undelimited concatenation is safe to use here because the authenticatorData describes its own length. The clientDataHash (which potentially has a variable length) is always the last element.

5.3. Credential Attestation Statements

An attestation statement is a specific type of signature, which contains statements about a credential itself and the
authenticator that holds it. Therefore, the procedures for generating attestation statements closely parallel those for
generating WebAuthn assertions as described in §5.2 Signature Format, though the semantics of the contextual bindings are quite
different.

This specification defines a number of attestation formats, i.e., ways to serialize the data being attested to by an Authenticator. The reason is to be able to support existing devices such as TPMs and other platform-specific formats.
Each attestation format provides the ability to cryptographically attest to a public key, the authenticator model, and
contextual data to a remote party. They differ in the details of how the attestation statement is laid out, and how its
components are computed. The different attestation formats are defined in §6 Defined Attestation Formats.

This specification also defines a number of attestation types. These define how a Relying Party establishes trust in a
particular attestation statement, after verifying that it is cryptographically valid.

Attestation formats are orthogonal to attestation types, i.e. attestation formats in general are not restricted to a single
attestation type. For example, the "packed" attestation format (see below) can be used in conjunction with all attestation types.
Broadly speaking, attestation formats pertain to the formatting / encoding of the attestation statement
rawData, while attestation types pertain to the semantics.
The privacy, the security and the operational characteristic of attestation mainly depends
on the attestation type while it is largely independent from the attestation format.
Specific privacy considerations are given in §5.3.3.1 Privacy.

5.3.1. Attestation Types

WebAuthn supports multiple attestation types:

Full Basic Attestation

In the case of full basic attestation [UAFProtocol], the Authenticator’s attestation private key is specific to an
Authenticator model. That means that an Authenticator of the same model typically shares the same attestation private key.
This model is also used for FIDO UAF 1.0 and FIDO U2F 1.0.

Surrogate Basic Attestation

In the case of surrogate basic attestation [UAFProtocol], the Authenticator doesn’t have any specific attestation key.
Instead it uses the authentication key to (self-)sign the (surrogate) attestation message. Authenticators without meaningful
protection measures for an attestation private key typically use this attestation type.

Privacy CA

In this case, the Authenticator owns an authenticator-specific (endorsement) key. This key is used to securely communicate
with a trusted third party, the Privacy CA. The Authenticator can generate multiple attestation key pairs and asks the
Privacy CA to issue an attestation certificate for it. Using this approach, the Authenticator can limit the exposure of the
endorsement key (which is a global correlation handle) to Privacy CA(s). Attestation keys can be requested for each scoped
credential individually.

Note: This concept typically leads to multiple attestation certificates. The attestation certificate requested most recently
is called "active".

Direct Anonymous Attestation (DAA)

In this case, the Authenticator receives DAA credentials from a single DAA-Issuer. These DAA credentials are used along with
blinding to sign the attestation data. The concept of blinding avoids the DAA credentials being misused as global
correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA (see [FIDOEcdaaAlgorithm]) in this specification.

Compliant servers MUST support all attestation types. Authenticators MAY choose which attestation type to implement.

Note: Relying Parties can always decide what attestation types are acceptable to them by policy.

5.3.2. Verifying an Attestation Statement

This section outlines the recommended algorithm for verifying an attestation statement, independent of attestation format.

Upon receiving an attestation statement, the Relying Party shall:

Verify that the attestation statement is properly formatted.

If alg is not ECDAA (e.g., not "ED256" and not "ED512"):

Look up the attestation root certificate from a trusted source.
For example, the FIDO Metadata Service [FIDOMetadataService] provides
one way to access such information. The claimedAAGUID can be used for this lookup.

Verify that the attestation certificate chain is valid and chains up to a trusted root (following [RFC5280]).

Verify that the attestation certificate has the right Extended Key Usage (EKU) based on the WebAuthn Authenticator type
(as denoted by the type member). In case of a type="tpm", this EKU shall be OID "2.23.133.8.3". Defined attestation
formats are in §6 Defined Attestation Formats.

If the attestation format is "android", verify that the attestation certificate is issued to the hostname
"attest.android.com" (see SafetyNet online documentation).

Verify that all issuing CA certificates in the chain are valid and not revoked.

Verify the signature on rawData using the attestation certificate public key and algorithm as identified by alg.

Verify rawData syntax and that it doesn’t contradict the signing algorithm specified in alg.

Verify that user verification method and other authenticator characteristics related to this authenticator model, match the
Relying Party policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain authenticator
characteristics.

The Relying Party MAY take any of the below actions when verification of an attestation statement fails:

Reject the request, such as a registration request, associated with the attestation statement.

Accept the request associated with the attestation statement but treat the attested Scoped Credential as one with surrogate
basic attestation (see §5.3.1 Attestation Types), if policy allows it. If doing so, there is no cryptographic proof
that the Scoped Credential has been generated by a particular Authenticator model. See [FIDOSecRef] and [UAFProtocol] for more details on the relevance to attestation.

Verification of attestation statements requires that the relying party trusts the root of the attestation certificate chain.
Also, the Relying Party must have access to certificate status information for the intermediate CA certificates. The relying party must
also be able to build the attestation certificate chain if the client didn’t provide this chain in the attestation information.

5.3.3. Security Considerations

5.3.3.1. Privacy

Attestation keys may be used to track users or link various online identities of the same user together. This may be mitigated
in several ways, including:

A WebAuthn Authenticator manufacturer may choose to ship all of their devices with the same (or a fixed number of)
attestation key(s) (called Full Basic Attestation). This will anonymize the user at the risk of not being able to revoke a
particular attestation key should its WebAuthn Authenticator be compromised.

A WebAuthn Authenticator may be capable of dynamically generating different attestation keys (and requesting related
certificates) per origin (following the Privacy CA approach). For example, a WebAuthn Authenticator can ship with a master
attestation key (and certificate), and combined with a cloud operated privacy CA, can dynamically generate per origin
attestation keys and attestation certificates.

A WebAuthn Authenticator can implement direct anonymous attestation (see [FIDOEcdaaAlgorithm]). Using this scheme, the
authenticator generates a blinded attestation signature. This allows the Relying Party to verify the signature using the DAA root
key, but the attestation signature doesn’t serve as a global correlation handle.

When an intermediate CA or a root CA used for issuing attestation certificates is compromised, WebAuthn Authenticator attestation keys are still safe although their certificates can no longer be trusted. A WebAuthn Authenticator manufacturer that
has recorded the public attestation keys for their devices can issue new attestation certificates for these keys from a new
intermediate CA or from a new root CA. If the root CA changes, the Relying Parties must update their trusted root certificates
accordingly.

A WebAuthn Authenticator attestation certificate must be revoked by the issuing CA if its key has been compromised. A WebAuthn
Authenticator manufacturer may need to ship a firmware update and inject new attestation keys and certificates into already
manufactured WebAuthn Authenticators, if the exposure was due to a firmware flaw. (The process by which this happens is out of
scope for this specification.) No further valid attestation statements can be made by the affected WebAuthn Authenticators
unless the WebAuthn Authenticator manufacturer has this capability.

If attestation certificate validation fails due to a revoked intermediate attestation CA certificate, and the Relying Party’s policy
requires rejecting the registration/authentication request in these situations, then it is recommended that the Relying Party also
un-registers (or marks as "surrogate attestation" (see §5.3.1 Attestation Types), policy permitting) scoped credentials that
were registered post the CA compromise date using an attestation certificate chaining up to the same intermediate CA. It is thus
recommended that Relying Parties remember intermediate attestation CA certificates during Authenticator registration in order to
un-register related Scoped Credentials if the registration was performed after revocation of such certificates.

If a DAA attestation key has been compromised, it can be added to the RogueList (i.e., the list of revoked authenticators)
maintained by the related DAA-Issuer. The Relying Party should verify whether an authenticator belongs to the RogueList when performing
DAA-Verify. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to access such information.

5.3.3.3. Attestation Certificate Hierarchy

A 3-tier hierarchy for attestation certificates is recommended (i.e., Attestation Root, Attestation Issuing CA, Attestation
Certificate). It is also recommended that for each WebAuthn Authenticator device line (i.e., model), a separate issuing CA is
used to help facilitate isolating problems with a specific version of a device.

If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
must be specified either in the attestation certificate itself or it must be specified in rawData.

6. Defined Attestation Formats

WebAuthn supports pluggable attestation data formats. This allows support of TPM generated attestation data as well as support
of other WebAuthn authenticators. As mentioned in §5.3 Credential Attestation Statements, these differ in how the attestation
statement is computed and formatted. This section defines these details.

The contents of the attestation data must be controlled (i.e., generated or at least verified) by the authenticator itself.

6.1. Packed Attestation ("packed")

Packed attestation is a WebAuthn optimized format of attestation data. It uses a very compact but still extensible encoding
method. Encoding this format can even be implemented by authenticators with very limited resources (e.g., secure
elements).

The version member specifies the version number of the rawData object. Only version="1" is defined at this time.

The claimedAAGUID element contains the claimed Authenticator Attestation GUID (a version 4 GUID, see [RFC4122]). This value is used by the Relying Party to look up the trust anchor for verifying the following signature. If
the verification succeeds, the AAGUID related to the trust anchor is trusted. This field MUST be present, if either no
attestation certificates are used (e.g., DAA) or if the attestation certificate doesn’t contain the AAGUID value in an
extension.

The x5c attribute contains the attestation certificate and its certificate chain as described in [RFC7515] section 4.1.6.

The alg element contains the name of the algorithm used to generate the attestation signature according to [RFC7518] section 3.1.

The signature element contains the attestation signature. See §6.1.2 Signature for details.

6.1.1. Attestation rawData

The attestation data encodes contextual bindings made by the authenticator itself. Unlike client data, the authenticator
data has a compact but extensible encoding. This is desired since authenticators can be devices with limited capabilities and
low power requirements, with much simpler software stacks than the client platform components.

The field rawData for this type is a variable-length byte array, consisting of various fixed-length and variable-length fields
arranged as given below:

Length (in bytes)

Description

2

0xF1D0, fixed big-endian TAG to make sure this object won’t be confused with other (non-WebAuthn) binary objects.

Extension-defined authenticator data. This is a CBOR [RFC7049] map with extension identifiers as keys, and
extension authenticator data values as values. See §7 WebAuthn Extensions for a description of the extension mechanism.
See §8 Pre-defined extensions for pre-defined extensions.

The TUP flag SHALL be set if and only if the authenticator detected a user through an authenticator-specific gesture.
The RFU bits in the flags byte SHALL be cleared (i.e., zeroed).

Note: The authenticator model (identified by the AAGUID) can be derived from

here, or

from the attestation certificate (if we have an authenticator specific or authenticator model specific attestation
certificate), or

from the claimed AAGUID in the client encoded attestation statement (if there is one attestation root certificate
per authenticator model).

In the case of DAA there is no need for an X.509 attestation certificate hierarchy. Instead the trust anchor being
known to the Relying Party is the DAA root key (i.e., ECPoint2 X, Y). This root key must be dedicated to a single
authenticator model.

If the authenticator does not wish to add extensions, it MUST clear the ED flag in the third byte.

6.1.2. Signature

The signature is computed over the rawData field. The following algorithms must be implemented by servers:

The Basic Constraints extension MUST have the CA component set to false

An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are both optional as the status of many attestation certificates is available through authenticator metadata services.
See, for example, the FIDO Metadata Service [FIDOMetadataService].

6.2. TPM Attestation ("tpm")

This attestation format returns an attestation statement in the same format as defined in §6.1 Packed Attestation ("packed"). However, the rawData and signature fields are computed differently, as described below.

6.2.1. Attestation rawData

The value of rawData is either a TPMCERTIFY_INFO or a TPM_CERTIFYINFO2 structure [TPMv1-2-Part2] sections 11.1 and 11.2,
if version equals 1. Else, if version equals 2, it MUST be a TPMS_ATTEST structure as defined in [TPMv2-Part2] section
10.12.9.

The field "extraData" (in the case of TPMSATTEST) or the field "data" (in the case of TPM_CERTIFY_INFO or TPM_CERTIFYINFO2)
MUST contain the clientDataHash (see §5.2 Signature Format).

6.2.2. Signature

If version equals 1, (i.e., for TPM 1.2), RSASSA-PKCS1-v1_5 signature algorithm (section 8.2 of [RFC3447]) can be used by
WebAuthn Authenticators (i.e., alg="RS256").

If version equals 2, the following algorithms can be used by WebAuthn Authenticators:

TPMALG_RSASSA (0x14). This is the same algorithm RSASSA-PKCS1-v15 as for version 1 but for use with TPMv2. alg="RS256".

TPMALGRSAPSS (0x16); alg="PS256".

TPMALGECDSA (0x18); alg="ES256".

TPMALGECDAA (0x1A); alg="ED256".

TPMALGSM2 (0x1B); alg="SM256".

Relying Parties must implement all the algorithms implemented by the authenticators that they support.

The Basic Constraints extension MUST have the CA component set to false

An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point extension [RFC5280] are
both optional as the status of many attestation certificates is available through metadata services.
See, for example, the FIDO Metadata Service [FIDOMetadataService].

6.3. Android Attestation (type="android")

When the Authenticator in question is a platform-provided Authenticator on the Android platform, the attestation
statement is based on the SafetyNet
API.

6.3.2. Verifying AndroidClientData specific contextual bindings

Check that AndroidAttestationClientData.challenge equals the attestationChallenge that was passed into the makeCredential() call.

Check that the origin and tokenBinding parameters in the AndroidAttestationClientData match
the Relying Party App.

Check that AndroidAttestationClientData.publicKey is the same key as the one returned in the ScopedCredentialInfo by the makeCredential call.

Check that the hash of the clientDataJSON matches the nonce attribute in the payload of the safetynetResponse JWS.

Check that the ctsProfileMatch attribute in the payload of the safetynetResponse is true.

Check that the apkPackageName attribute in the payload of the safetynetResponse matches package name of the application
calling SafetyNet API.

Check that the apkDigestSha256 attribute in the payload of the safetynetResponse matches the package hash of the
application calling SafetyNet API.

Check that the apkCertificateDigestSha256 attribute in the payload of the safetynetResponse matches the hash of the
signing certificate of the application calling SafetyNet API.

7. WebAuthn Extensions

The mechanism for generating scoped credentials, as well as requesting and generating WebAuthn assertions, as defined in §4 Web Authentication API, can be extended to suit particular use cases. Each case is addressed by defining a registration extension and/or
an authentication extension. Extensions can define additions to the following steps and data:

Client processing, and the ClientData structure, for registration extensions and authentication extensions.

Authenticator processing, and the authenticatorData structure, for registration extensions and authentication
extensions.

When requesting an assertion for a scoped credential, a Relying Party can list a set of extensions to be used, if they are supported by
the client and/or the authenticator. It sends the client arguments for each extension in the getAssertion() call (for
authentication extensions) or makeCredential() call (for registration extensions) to the client platform. The client
platform performs additional processing for each extension that it supports, and augments ClientData as required by the
extension. In addition, the client collects the authenticator arguments for the above extensions, and passes them to the
authenticator in the authenticatorMakeCredential call (for registration extensions) or authenticatorGetAssertion call (for authentication extensions). These authenticator arguments are passed as name-value pairs, with the extension
identifier as the name, and the corresponding authenticator argument as the value. The authenticator, in turn, performs
additional processing for the extensions that it supports, and augments authenticatorData as specified by the extension.

All WebAuthn extensions are optional for both clients and authenticators. Thus, any extensions requested by a Relying Party may be
ignored by the client browser or OS and not passed to the authenticator at all, or they may be ignored by the authenticator.
Ignoring an extension is never considered a failure in WebAuthn API processing, so when Relying Parties include extensions with any API
calls, they must be prepared to handle cases where some or all of those extensions are ignored.

Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not
recognize to authenticators, generating the authenticator argument by simply encoding the client argument in CBOR. All
WebAuthn extensions MUST be defined in such a way that this implementation choice does not endanger the user’s security or
privacy. For instance, if an extension requires client processing, it could be defined in a manner that ensures such a naïve
pass-through will produce a semantically invalid authenticator argument, resulting in the extension being ignored by the
authenticator. Since all extensions are optional, this will not cause a functional failure in the API operation.

7.1. Extension identifiers

Extensions are identified by a string, chosen by the extension author. Extension identifiers should aim to be globally unique,
e.g., by including the defining entity such as myCompany_extension.

Extensions that may exist in multiple versions should take care to include a version in their identifier. In effect, different
versions are thus treated as different extensions, e.g., myCompany_extension_01

Extensions defined in this specification use a fixed prefix of webauthn for the extension identifiers. This prefix should not
be used for extensions not defined by the W3C.

7.2. Defining extensions

A definition of an extension must specify, at minimum, an extension identifier and an extension client argument sent via the getAssertion() or makeCredential() call. Additionally, extensions may specify additional values in ClientData, authenticatorData (in the case of authentication extensions), or both. Finally, if the extension requires any authenticator
processing, it must also specify an authenticator argument to be sent via the authenticatorGetAssertion or authenticatorMakeCredential call.

Any extension that requires client processing MUST specify a method of augmenting ClientData that unambiguously lets the
Relying Party know that the extension was honored by the client. Similarly, any extension that requires authenticator processing MUST
specify a method of augmenting authenticatorData to let the Relying Party know that the extension was honored by the authenticator.

7.3. Extending request parameters

An extension defines up to two request arguments. The client argument is passed from the Relying Party to the client
in the getAssertion() or makeCredential() call, while the authenticator argument is passed from the client
to the authenticator during the processing of these calls.

A Relying Party simultaneously requests the use of an extension and sets its client argument by including an entry in the extensions option to the makeCredential() or getAssertion() call. The entry key MUST be the
extension identifier, and the value MUST be the client argument.

Extension definitions MUST specify the valid values for their client argument. Clients SHOULD ignore extensions with an invalid
client argument. If an extension does not require any parameters from the Relying Party, it SHOULD be defined as taking a Boolean client
argument, set to true to signify that the extension is requested by the Relying Party.

Extensions that only affect client processing need not specify an authenticator argument. Extensions that affect authenticator
processing MUST specify a method of computing the authenticator argument from the client argument. For extensions that do not
require additional parameters, and are defined as taking a Boolean client argument set to true, this method SHOULD consist of
passing an authenticator argument of true (CBOR major type 7, value 21).

Note: Extensions should aim to define authenticator arguments that are as small as possible. Some authenticators communicate
over low-bandwidth links such as Bluetooth Low-Energy or NFC.

7.4. Extending client processing

Extensions may define additional processing requirements on the client platform during the creation of credentials or the
generation of an assertion. In order for the Relying Party to verify the processing took place, or if the processing has a result
value that the Relying Party needs to be aware of, the extension should specify a client data value to be included in the ClientData structure.

The client data value may be any value that can be encoded using JSON. If any extension processed by a client defines such a
value, the client SHOULD include a dictionary in ClientData with the key extensions. For each such
extension, the client SHOULD add an entry to this dictionary with the extension identifier as the key, and the extension’s
client data value.

Extensions that require authenticator processing MUST define the process by which the client argument can be used to determine
the authenticator argument.

7.5. Extending authenticator processing

Extensions that define additional authenticator processing may similarly define an authenticator data value. The value may be
any data that can be encoded in CBOR. An authenticator that processes an authentication extension that defines such a value must
include it in the authenticatorData.

As specified in §5.2.1 Authenticator data, the authenticator data value of each processed extension is included in the
extended data part of the authenticatorData. This part is a CBOR map, with extension identifiers as keys, and the
authenticator data value of each extension as the value.

7.6. Example extension

This section is not normative.

To illustrate the requirements above, consider a hypothetical extension "Geo". This extension, if supported, lets both clients
and authenticators embed their geolocation in assertions.

The extension identifier is chosen as webauthnExample_geo. The client argument is the constant value true, since the
extension does not require the Relying Party to pass any particular information to the client, other than that it requests the use
of the extension. The Relying Party sets this value in its request for an assertion:

The extension also requires the client to set the authenticator parameter to the fixed value true.

Finally, the extension requires the authenticator to specify its geolocation in the authenticator data, if known. The extension
e.g. specifies that the location shall be encoded as a two-element array of floating point numbers, encoded with CBOR. An
authenticator does this by including it in the authenticatorData. As an example, authenticator data may be as follows
(notation taken from [RFC7049]):

The authenticator MUST display the content to the user before performing the user verification / test of user
presence. The authenticator may add other information below the content. No changes are allowed to the content itself, i.e., inside content boundary box.

Authenticator data

The hash value of the content which was displayed. The authenticator MUST use the same hash algorithm as it uses for
the signature itself.

8.2. Authenticator Selection Extension

This registration extension allows a Relying Party to guide the selection of the authenticator that will be leveraged when creating the
credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.

This extension can only be used during makeCredential(). If the client supports the Authenticator Selection Extension, it
MUST use the first available authenticator whose AAGUID is present in the AuthenticatorSelectionList. If none of
the available authenticators match a provided AAGUID, the client MUST select an authenticator from among the available
authenticators to generate the credential.

Authenticator argument

There is no authenticator argument.

Authenticator processing

None.

8.3. SupportedExtensions Extension

Extension identifier

webauthn_exts

Client argument

The Boolean value true to indicate that this extension is requested by the Relying Party.

The authenticator augments the authenticator data with a user verification index indicating the method used by the
user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

Authenticator data

The user verification index (UVI) is a value uniquely identifying a user verification data record. The UVI is encoded as CBOR
byte string (type 0x58). Each UVI value MUST be specific to the related key (in order to provide unlinkability). It also
must contain sufficient entropy that makes guessing impractical. UVI values MUST NOT be reused by the Authenticator (for
other biometric data or users).

The UVI data can be used by servers to understand whether an authentication was authorized by the exact same biometric data
as the initial key generation. This allows the detection and prevention of "friendly fraud".

As an example, the UVI could be computed as SHA256(KeyID | SHA256(rawUVI)), where the rawUVI reflects (a) the biometric
reference data, (b) the related OS level user ID and (c) an identifier which changes whenever a factory reset is performed
for the device, e.g. rawUVI = biometricReferenceData | OSLevelUserID | FactoryResetCounter.

Servers supporting UVI extensions MUST support a length of up to 32 bytes for the UVI value.

If the authenticator does not support the extension, then the authenticator MUST ignore the extension request.
If the authenticator accepts the extension, then the authenticator SHOULD only add this extension data to a packed
attestation or assertion.

Authenticator data

If the authenticator accepts the extension request, then authenticator data SHOULD provide location data in the form of a
CBOR-encoded map, with the first value being the extension identifier and the second being an array of returned values. The array
elements SHOULD be derived from (key,value) pairings for each location attribute that the authenticator supports. The following is
an example of authenticator data where the returned array is comprised of a {longitude, latitude, altitude} triplet, following the
coordinate representation defined in The W3C Geolocation API
Specification.

The authenticator augments the authenticator data with a user verification index indicating the method used by the
user to authorize the operation, as defined below. This extension can be added to attestation statements and assertions.

Authenticator data

Authenticators can report up to 3 different user verification methods (factors) used in a single authentication instance.
To accommodate this possibility the UVM is encoded as CBOR array (major type 4) with a maximum allowed length of 3 -

Type 0x81 – only 1 factor was used for authentication.

Type 0x82 – 2 factors were used.

Type 0x83 – 3 or more factors were used.

Each data item is in turn a CBOR array of length 3 (type 0x83) with the following data items:

Data Item 1 – User Verification Method. This is the authentication method/factor used by the authenticator to verify
the user. Available values are defined in the FIDO Registry of Predefined Values, ‘User Verification
Methods’ section. It is encoded as a CBOR unsigned integer (Major type 0).

Data Item 2 – Key Protection Type. This is the method used by the authenticator to protect the FIDO registration
private key material. Available values are defined in the FIDO Registry of Predefined Values, ‘Key
Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0).

Data Item 3 – Matcher Protection Type. This is the method used by the authenticator to protect the matcher that
performs user verification. Available values are defined in the FIDO Registry of Predefined Values,
‘Matcher Protection Types’ section. It is encoded as a CBOR 2 byte unsigned short (Major type 0).

This is repeated for each factor used in the authentication instance.

If >3 factors can be used in an authentication instance the authenticator vendor must select the 3 factors it believes
will be most relevant to the Server to include in the UVM.

Servers supporting the UVM extension MUST support a length up to 36 bytes for a 3 factor maximum UVM value.

Example for rawData containing one UVM extension for a multi-factor authentication instance where 2 factors were used:

9. IANA Considerations

This specification registers the algorithm names "S256", "S384", "S512", and "SM3" with the IANA JSON Web Algorithms registry as
defined in section "Cryptographic Algorithms for Digital Signatures and MACs" in [RFC7518].

10. Sample scenarios

This section is not normative.

In this section, we walk through some events in the lifecycle of a scoped credential, along with the corresponding sample code
for using this API. Note that this is an example flow, and does not limit the scope of how the API can be used.

As was the case in earlier sections, this flow focuses on a use case involving an external first-factor authenticator with its own display. One example of such an authenticator would be a smart phone. Other authenticator types are also supported
by this API, subject to implementation by the platform. For instance, this flow also works without modification for the case of
an authenticator that is embedded in the client platform. The flow also works for the case of an authenticator without
its own display (similar to a smart card) subject to specific implementation considerations. Specifically, the client platform
needs to display any prompts that would otherwise be shown by the authenticator, and the authenticator needs to allow the client
platform to enumerate all the authenticator’s credentials so that the client can have information to show appropriate prompts.

10.1. Registration

This is the first-time flow, in which a new credential is created and registered with the server.

The user visits example.com, which serves up a script. At this point, the user must already be logged in using a legacy
username and password, or additional authenticator, or other means acceptable to the Relying Party.

The Relying Party script runs the code snippet below.

The client platform searches for and locates the authenticator.

The client platform connects to the authenticator, performing any pairing actions if necessary.

The authenticator shows appropriate UI for the user to select the authenticator on which the new credential will be
created, and obtains a biometric or other authorization gesture from the user.

The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script. If
the user declined to select an authenticator or provide authorization, an appropriate error is returned.

If a new credential was created,

The Relying Party script sends the newly generated public key to the server, along with additional information about public key
such as attestation that it is held in trusted hardware.

The server stores the public key in its database and associates it with the user as well as with the strength of
authentication indicated by attestation, also storing a friendly name for later use.

The script may store data such as the credential ID in local storage, to improve future UX by narrowing the choice of
credential for the user.

10.2. Authentication

This is the flow when a user with an already registered credential visits a website and wants to authenticate using the
credential.

The user visits example.com, which serves up a script.

The script asks the client platform for a WebAuthn identity assertion, providing as much information as possible to narrow
the choice of acceptable credentials for the user. This may be obtained from the data that was stored locally after
registration, or by other means such as prompting the user for a username.

The client platform connects to the authenticator, performing any pairing actions if necessary.

The authenticator presents the user with a notification that their attention is required. On opening the
notification, the user is shown a friendly selection menu of acceptable credentials using the account information provided
when creating the credentials, along with some information on the origin that is requesting these keys.

The authenticator obtains a biometric or other authorization gesture from the user.

The authenticator returns a response to the client platform, which in turn returns a response to the Relying Party script.
If the user declined to select a credential or provide an authorization, an appropriate error is returned.

If an assertion was successfully generated and returned,

The script sends the assertion to the server.

The server examines the assertion and validates that it was correctly generated. If so, it looks up the identity
associated with the associated public key; that identity is now authenticated. If the public key is not recognized by
the server (e.g., deregistered by server due to inactivity) then the authentication has failed; each Relying Party will handle
this in its own way.

The server now does whatever it would otherwise do upon successful authentication -- return a success page, set
authentication cookies, etc.

If the Relying Party script does not have any hints available (e.g., from locally stored data) to help it narrow the list of credentials,
then the sample code for performing such an authentication might look like this:

On the other hand, if the Relying Party script has some hints to help it narrow the list of credentials, then the sample code for
performing such an authentication might look like the following. Note that this sample also demonstrates how to use the
extension for transaction authorization.